Duo Security Duo Unix from Debian Package

In the last post, I wrote about trying to install Duo-Unix from source and the problems I encountered, which led me to install from the bookworm Duo Security repository, even though I’m running Debian Forky (Testing). During the testing, while writing the post (to get screenshots), I found out that the problem was more on my server side.

However, with Duo needing to be updated by tomorrow (February 2nd) to use the latest CA bundle, I used some workarounds to install the Debian package from their site.

I’ve reset my virtual machine and done a fresh update to get the latest packages. I’m running Debian Forky (current testing).

Returning to the Duo-Unix page, they do have options for installing on different distributions. The page says they tested against Trixie (Debian 13), but the commands are still for Stretch and older. They also don’t include the signing key info in the source list file.
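As an added example (not from the original post and not from Duo's documentation), the shell below converts a legacy one-line sources.list entry into the deb822 `.sources` form and adds the `Signed-By:` field that the post notes is missing from Duo's instructions. The repository URL, suite and keyring path are placeholders, not Duo's real values; the point is that without `Signed-By` apt will accept any key in `/etc/apt/trusted.gpg.d`, so a third-party repo should be pinned to its own keyring.

```shell
# Added example: legacy one-line apt entry -> deb822 stanza pinned to one keyring.
# URL, suite and keyring path are placeholders, not Duo's real values.

legacy_to_deb822() {
    # $1: one-line entry, e.g. 'deb [arch=amd64] https://pkg.example.com/debian bookworm main'
    # $2: path to the repository's keyring, e.g. /usr/share/keyrings/example-archive-keyring.gpg
    entry=$1
    keypath=$2
    set -f                          # '[arch=amd64]' must not be glob-expanded
    set -- $entry
    set +f
    type=$1; shift
    opts=""
    case $1 in
        \[*\]) opts=$1; shift ;;    # optional [key=value,...] options block
    esac
    uri=$1; shift
    suite=$1; shift
    comps=$*
    printf 'Types: %s\n' "$type"
    printf 'URIs: %s\n' "$uri"
    printf 'Suites: %s\n' "$suite"
    printf 'Components: %s\n' "$comps"
    case $opts in
        *arch=*)
            arch=${opts#*arch=}; arch=${arch%%[],]*}
            printf 'Architectures: %s\n' "$arch" ;;
    esac
    # Pin signature verification for this repo to its own keyring.
    printf 'Signed-By: %s\n' "$keypath"
}

# Return 0 only if every stanza in the given .sources file carries a Signed-By field.
check_signed_by() {
    awk 'BEGIN{RS=""; bad=0} /^Types:/ && !/\nSigned-By:/ {bad=1} END{exit bad}' "$1"
}

# Usage (placeholders): write the stanza, then verify it before running apt update.
# legacy_to_deb822 'deb [arch=amd64] https://pkg.example.com/debian bookworm main' \
#     /usr/share/keyrings/example-archive-keyring.gpg > /etc/apt/sources.list.d/example.sources
# check_signed_by /etc/apt/sources.list.d/example.sources && apt update
```

The keyring referenced by `Signed-By` should be the vendor's public key, downloaded over HTTPS and dearmored with `gpg --dearmor` into `/usr/share/keyrings/`; adding it with the deprecated `apt-key add` would trust it for every repository on the box, which is exactly what `Signed-By` avoids.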


Building from Duo Unix from Source

Note: In the end, the problem I had building from source appears to have been incomplete / canceled apt upgrades.

As I mentioned earlier this week, I had to upgrade the Duo Security Multifactor Authentication software, known as Duo Unix. This software allows PAM access control with a multifactor authenticator to access my SSH boxes. An interesting aside: the same software is also handling the Web Server traffic for logging in to WordPress.

Note: After doing upgrades to my server, which had problems, I can now get ./configure working, so part of it sounds like my box was the issue due to an incomplete partial update.

Setup note: for this blog, I’m not redoing the work on my server, but running on a fresh install of Debian testing (Forky). I’ve already installed the kernel headers and build-essential packages for use with the VirtualBox Guest Additions, so I’ll skip that below. If you don’t have those, you should make sure they’re installed. I don’t know if the headers are needed, but I’ve always grabbed those for installing from source.

When I originally built the software, I don’t think Duo Security was providing the Debian .deb packages for installation. Or if they were, they were not the same software revision at the time. For the upgrade, I decided to switch to the Debian package this time. That will be the next blog post. Needless to say, after some time working with their documentation and trying to get the apt command to work, I decided it might be faster to build from source again.

Spoiler alert, it wasn’t.


Dealing with Burnout (or Why I Haven’t Been Posting)

I’ve spent the last year dealing with burnout, and really shut down overall on tech, which is part of the reason the blog hasn’t had much done on it, even though I have several blog ideas (projects and results, or industry trends I’m seeing and want to comment on) that are in the wings. Like the last couple of honeypot series posts, “Does CyberChef call home or leak data”, some stuff on Pi-hole, and some things on Android Wi-Fi.

Instead, I’ve been doing things working with my hands, mostly gardening and woodworking. Occasionally, I’ll get to go hiking; although, does short rail-to-trail hiking really count? Also, hills don’t care how many rail-to-trail miles you have recently.

Lastly, my current day job doesn’t have many techies on the team. Most of them come to work, do the job, and go home. I think there are three of us who have “home labs”, and we don’t see each other in the office much, which prevents the good tech build discussions.

However, the last few weeks I’ve been doing a little more tech work. I had to get the AWS Cloud Practitioner Foundational certification for work. I’ve had to update Duo Security’s MFA software, and I made some changes to my mail server to prep for migrating to Dovecot 2.4, which I should have done already, but I’ve been dealing with burnout.

Today has been fun, though. I’ve built a new VM to redo the Duo MFA installs and to blog about the issues I’ve had. I had to create the Debian VM several times, and I’m still trying to get Guest Additions to work right. It’s been so long since I set up a VM that I’ve forgotten many of the tweaks I used to memorize. I also managed to mess up my Debian install from when I built my PC several years ago. The updates seemed to break something. I’ll probably have to reinstall if updating the BIOS (based on errors in the logs) doesn’t fix it.

Duo MFA CA Bundle expiration soon

For those that don’t know, Duo Security has been sending out emails since at least the end of August about their CA certificate bundle expiring on February 2nd, 2026. The main point was to upgrade your system so you can keep using Duo Security’s MFA on ssh, web servers, etc.

The last time I installed Duo’s MFA tool, I built it from source. The upgrade, which includes the new certs, appears to have been successful, but it took about 6 hours to get it working.

I say it appears to be successful because before the upgrade to the current version, every login would generate an email and log entry in the Duo unsupported (can’t get an update to the CA bundle) log panel on the admin site.

I haven’t seen any new entries or received any new emails since the upgrade, but it was an adventure to get it working. I’ll share a more thorough write-up before February 2nd, in case anyone else gets stuck.

Netcat Honeypot Build Walk-through

Please note that some of the links below may be affiliate links. As an Amazon Associate, I earn from qualifying purchases.

Half a honeycomb block

As mentioned in the last blog post, this one will be about setting up a Raspberry Pi to monitor the network for potential malicious activity. Because knowledge of the device on the network is limited, any connectivity activity to the device’s listener ports should be investigated.

While this can be built in a VM or on repurposed hardware, the actions for the build are the same. However, for this, I’m going to build on a Raspberry Pi. I’ll provide some recommendations, but what you order is up to you. I like to have as much memory as possible, but smaller ones should work.


My Intrusion Detection Honeypot

Please note that some of the links below may be affiliate links. As an Amazon Associate I earn from qualifying purchases.

For the last several years, I’ve been working on a honeypot system to detect “east to west” internal traffic that doesn’t go “north to south” to the internet. The reason is to detect potential threat actors moving laterally in the network. While this doesn’t catch all internal to internal traffic, it does alert on internal traffic to the device. The need for such a device came from a job several years ago.

At a place where I worked, the managers would comment that we could see North-South traffic to and from the internet. But we couldn’t detect potentially malicious East-West traffic internally between systems. We could see East-West between Zones, but not systems in the same zone.

Which led to the suggestion of honeypots. Both Management and Legal said we couldn’t have a honeypot because they believed them to be entrapment devices. Management also didn’t want to give threat actors a beachhead device to take over and use to attack other devices.

What was needed was a device that could act like an alarmed/monitored door, one that would alert when used. Something that had next to zero interaction. It took a couple of years, but I found a workable solution with Chris Sanders’ Intrusion Detection Honeypots (affiliate link).


Always remember to document with screenshots when doing investigations

I’ve been looking for a job. I applied to one recently and came across something a little scammy. Seconds after getting a thank you for applying email, I got an email saying I had to run software to prove I met the requirements to work from home. Plug the computer into the modem and run their test. Wasn’t happening on my daily driver. I ran it through some VMs.

The link in the email was for what looks like a headhunter software firm. It redirected to the website of the company I applied to. I tested with FLARE VM running on Proxmox on an old i3 server I have. The FLARE VM passed everything but the processor test. It wanted an i5 or higher. I didn’t bother to get screenshots, because I thought I’d run it again on something with a newer processor.

I spent today (the day I wrote the blog post, not the day it was published) setting up a FLARE VM on my laptop. I loaded up the FLARE VM and started Wireshark, Regshot, and Procmon. I started Edge and went to the link again, only to get a blank page with no option to test. Note: The site had said that after I ran the test I should try again from another computer. But there was nothing there to run this time.

There were two takeaways from this.

1. I should have built some Flare VMs sooner, because they take a while to build. Build them before you want to use them.

2. Follow the rules of getting screenshots and taking notes as you work because it would have made a great blog post walking through the steps.

Updating still

I’m still going through updating the old links. The good news is that my RSS feed didn’t start bringing back the old posts that I’ve been updating. The bad news is that I had to delete my feed from The Old Reader and re-add my RSS feed.

I do plan on getting back to writing soon. I’ve opened the FAIR and CTI posts. I want to get back to those. I also want to write up some of the Honeypot stuff I’ve been working on over the last several years. I don’t think I ever did a book review on Chris Sanders’ book Intrusion Detection Honeypots, which got me started and I’ve been expanding on. Also, I want to compare and contrast Intrusion Detection Honeypots running NetCat listeners vs. OpenCanary.

* Note: the Amazon links above are affiliate links, for which I earn a commission from qualifying purchases.